> Note that it's the nf_mark we will be setting. But:
> get/setsockopt(fd, SOL_SOCKET, SO_MARK, ...)

That allows you to set a mark for your outgoing packets, and find out what mark is in effect on outgoing packets. There's still a large piece of the puzzle missing, namely finding out what mark is carried by incoming requests, since this determines the mark that goes on the forwarded query (when it cannot be answered from cache). Otherwise the mark could be calculated somehow from the client address, but this is very unlikely to yield a generally useful solution. Much better to let the client-mark association be set using iptables rules for each particular installation.